Page 1

IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESS

FL Jones and DV Rama

Page 2

Objectives of Internal Control (SAS No. 94)

A process … designed to provide reasonable assurance regarding the objectives:

1. Reliability of financial reporting
2. Effectiveness and efficiency of operations
3. Compliance with applicable laws and regulations

Page 3

Elements of Internal Control

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

Page 5

Control environment

Integrity, ethical values, management philosophy and operating style, and organizational structure influence the control environment.

Page 7

Risk assessment

Once risks are identified, they can be analyzed to estimate their significance, to assess their likelihood of occurring, and to determine actions that will minimize them.

Page 9

Control Activities

• Performance reviews
• Segregation of duties
• Application controls
• General controls

Page 11

Information and communication

The company's information system is a collection of procedures (automated and manual) and records established to initiate, record, process, and report the events in an entity's process.

Communication involves providing an understanding of individual roles and responsibilities.

Page 13

Objectives and Risk

1. Execution
   – Objective: proper execution of transactions in the revenue and acquisition cycles
   – Risk of not achieving execution objectives
2. Information System
   – Objective: proper recording, updating, and reporting of data in an information system
   – Risk of not achieving information system objectives
3. Asset protection
   – Objective: safeguarding of assets
   – Risk of loss or theft of assets
4. Performance
   – Objective: favorable performance of an organization, person, department, product, or service
   – Risk of not achieving performance objectives

Page 26

Other Classifications of Control Plans

• Preventive Controls: the issue is prevented from occurring. Ex. cash receipts are immediately deposited to avoid loss.
• Detective Controls: the issue is discovered. Ex. an unauthorized disbursement is discovered during reconciliation.
• Corrective Controls: the issue is corrected. Ex. erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data.

Page 28

Business Process Control Plans

• Business process control plans reflect information processing policies and procedures that assist in accomplishing control goals.
  – The control environment: the fact that the control environment appears at the top of the hierarchy illustrates that it comprises a multitude of factors that can either reinforce or mitigate the effectiveness of the pervasive and application control plans.
  – Pervasive control plans also relate to a multitude of goals and processes.
    • Like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate.
    • They are broad in scope and apply equally to all business processes, hence they pervade all systems.
  – Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process the data.

Page 29

Control Goals of the Information Process

• Update completeness
  – Requires that all events entered into the computer are reflected in their respective master data.
  – Ex. Are all input cash receipts recorded in the AR master data?
• Update accuracy
  – Requires that data entered into the computer are reflected correctly in their respective master data.
  – Ex. Are all input cash receipts correctly recorded in the AR master data?

Page 30

Control Goals of the Information Process

• Input validity
  – Input data are approved and represent actual economic events and objects.
  – Ex. Are all cash receipts input into the process supported by customer payments?
• Input completeness
  – Requires that all valid events or objects be captured and entered into the system.
  – Ex. Are all valid customer payments captured on a customer remittance advice (RA) and entered into the process?
• Input accuracy (correct data entered correctly)
  – Requires that events be correctly captured and entered into the system.
  – Ex. Are the correct payment amount and customer number on the RA?
  – Ex. Are the correct payment amount and customer number keyed into the system?

Page 31

Control Goals of the Information Process

• For business event inputs, ensure
  – Input validity
  – Input completeness
  – Input accuracy
• For master data, ensure
  – Update completeness
  – Update accuracy
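The five goals above can be checked mechanically by reconciling three record sets against each other: the customer payments that actually arrived (the economic events), the remittance advices keyed into the process (the inputs), and the postings found in the AR master data (the update). The Python below is an added example, not code from the Jones and Rama slides; its Record type, field names and sample records are constructed here for illustration, and it assumes that the RA and the AR posting both carry the payment reference (for instance a cheque number), which is what the records are matched on.

```python
"""Reconciliation checks for the five information-process control goals.

Added example (not from the Jones & Rama slides). All records are constructed
sample data; the Record type and its field names are assumptions made here.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Record:
    ref: str         # payment reference (e.g. cheque number) carried on the RA and the posting
    customer: str    # customer number
    amount: Decimal  # payment amount


# Constructed sample data for one day's cash receipts.
# Customer payments actually received (the bank deposit): the economic events.
PAYMENTS = [
    Record("PAY-1", "C100", Decimal("250.00")),
    Record("PAY-2", "C200", Decimal("75.50")),
    Record("PAY-3", "C300", Decimal("1200.00")),  # never captured on an RA
]
# Remittance advices (RA) keyed into the cash-receipts process: the inputs.
REMITTANCES = [
    Record("PAY-1", "C100", Decimal("250.00")),
    Record("PAY-2", "C020", Decimal("75.50")),    # customer number mis-keyed
    Record("PAY-9", "C400", Decimal("90.00")),    # no supporting payment exists
]
# Postings found in the AR master data after the update run.
AR_POSTINGS = [
    Record("PAY-1", "C100", Decimal("25.00")),    # amount posted with a dropped digit
    Record("PAY-9", "C400", Decimal("90.00")),
    # PAY-2 never reached the master data
]


def _by_ref(records: Iterable[Record]) -> Dict[str, Record]:
    return {r.ref: r for r in records}


def _fields_differ(a: Record, b: Record) -> bool:
    return (a.customer, a.amount) != (b.customer, b.amount)


def reconcile(payments, remittances, postings) -> Dict[str, List[str]]:
    """Return, per control goal, the payment references that violate it."""
    pay, ra, ar = _by_ref(payments), _by_ref(remittances), _by_ref(postings)
    return {
        # Input validity: every RA entered is supported by an actual customer payment.
        "input_validity": sorted(ref for ref in ra if ref not in pay),
        # Input completeness: every customer payment was captured on an RA.
        "input_completeness": sorted(ref for ref in pay if ref not in ra),
        # Input accuracy: customer number and amount on the RA match the payment.
        "input_accuracy": sorted(ref for ref in ra
                                 if ref in pay and _fields_differ(ra[ref], pay[ref])),
        # Update completeness: every RA entered is reflected in the AR master data.
        "update_completeness": sorted(ref for ref in ra if ref not in ar),
        # Update accuracy: the posting carries the same customer and amount as the RA.
        "update_accuracy": sorted(ref for ref in ra
                                  if ref in ar and _fields_differ(ra[ref], ar[ref])),
    }


def batch_totals(records: Iterable[Record]) -> Dict[str, object]:
    """Record count and hash total: the batch control totals compared before and after an update run."""
    recs = list(records)
    return {"count": len(recs), "hash_total": sum((r.amount for r in recs), Decimal("0"))}


if __name__ == "__main__":
    for goal, refs in reconcile(PAYMENTS, REMITTANCES, AR_POSTINGS).items():
        print(f"{goal:20} exceptions: {refs or 'none'}")
    print("RA batch:", batch_totals(REMITTANCES), "AR batch:", batch_totals(AR_POSTINGS))
```

Run stand-alone, it lists one exception per goal (PAY-9 fails input validity, PAY-3 input completeness, PAY-2 input accuracy and update completeness, PAY-1 update accuracy) and shows the RA batch totals (3 records, 415.50) disagreeing with the AR batch totals (2 records, 115.00). A count or hash-total mismatch like that is the classic detective control on an update run, but totals alone would not expose a mis-keyed customer number or two errors that offset each other, which is why the record-level comparison is kept alongside them.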

Page 32

Control Goals of the Operations Process

• Ensure effectiveness of operations
  – A measure of success in meeting one or more operations process goals, which reflect the criteria used to judge the effectiveness of various business processes.
  – Ex. Deposit cash receipts on the day received.
• Ensure efficient employment of resources
  – A measure of the productivity of the resources applied to achieve a set of goals.
  – Ex. What is the cost of people, computers, and other resources to deposit cash on the day received?
• Ensure security of resources
  – Protecting an organization's resources from loss, destruction, disclosure, copying, sale, or other misuse.
  – Ex. Are cash and information resources available when required? Are they put to authorized use?

Page 34

Causeway Company Systems Flowchart

Page 35

Ethics and Controls

• COSO report stresses ethics as part of the control environment (tone at the top)
• AICPA has built ethics issues into the CPA exam
• The Institute of Management Accountants has a code of ethics which is also tested on both the CMA and CFM exams
• Internal Auditing has ethics articles
• Many corporations have developed Codes of Conduct

Page 36

General Control Model: Figure 7.1

Page 37

(Text definition of IC cont.)

• Reflect management’s careful assessment of risks.

• Be based on management’s evaluation of costs versus benefits.

• Be built on management’s strong sense of business ethics and personal integrity.

Page 38

Gelinas, Sutton & Hunton's Working Definition of IC: Key Points

• A system of internal control is not an end in itself. Rather, it is a means to an end: the end of attaining process objectives.
• Internal control itself is a system. Therefore, like any system it must
  – (1) have clearly defined goals and
  – (2) consist of interrelated components that act in concert to achieve those goals.
  – We can also say that internal control is a process.
• Establishing a viable internal control system is management's responsibility.
• The strength of any internal control system is largely a function of the people who operate it.
• Internal control cannot be expected to provide absolute, 100% assurance that the organization will reach its objectives. Rather, the operative phrase is that it should provide reasonable assurance.
• Internal control is not free; controls should be built in and cost effective.

Page 39

COSO Report, SOA, and SAS 94

• In the section addressing implementation of the Sarbanes-Oxley Act section 404, the SEC used the COSO description of internal control.
  – It went on to say that management must base its evaluation of the effectiveness of its internal control system on a framework such as COSO.
  – The COSO report stresses that internal control is a process.
• A complementary perspective on internal control is found in Statement on Auditing Standards (SAS) 94, entitled "The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit."
  – This standard guides auditors in understanding the impact of IT on internal control and assessing IT-related control risks.
  – Further, SAS 94 highlights how IT can be used to strengthen internal control, while at the same time emphasizing how IT can actually weaken some controls.

Page 40

Five Interrelated Components of Internal Control

1. Control environment - tone at the top
2. Risk assessment - identification/analysis of risks
3. Control activities - policies and procedures
4. Information & communication - processing of information in a form and time frame that enables people to do their jobs
5. Monitoring - processes that assess the quality of internal control over time

Page 41

Definition of Internal Control

• From SAS 78 (1995), which adopted the COSO definition:
  – INTERNAL CONTROL is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness & efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws & regulations.

Page 42

E&Y Fraud Survey

• About 85% of fraud is committed by company insiders
• About 55% of perpetrators were management employees
• More fraud in less-developed countries
• Only about 20% of fraud comes to public knowledge
• About 40% of frauds are known to the public, 20% are kept confidential, and the other 40% are not yet discovered
• Best prevention is internal control, management reviews, and internal audits
• The #1 fraud worry to executives is asset misappropriation
• The #2 fraud worry to executives is computer crime
• Most organizations now have formal fraud prevention policies, including codes of corporate governance and employee conduct
• Most useful fraud prevention techniques are internal controls, management reviews, and internal audits

Page 43

SAS 99

• The accounting profession too has been proactive in dealing with corporate fraud, as it has launched an anti-fraud program.
• One of the manifestations of this initiative is Statement on Auditing Standards (SAS) Number 99, entitled Consideration of Fraud in a Financial Statement Audit.
  – SAS 99 has the same title as its predecessor, SAS 82, but the new standard is much more encompassing than the old.
  – For instance, SAS 99 emphasizes brainstorming fraud risks, increasing professional skepticism, using unpredictable audit test patterns, and detecting management override of internal controls.

Page 44

Fraud and its Relationship to Control

• Fraud: a deliberate act or untruth intended to obtain unfair or unlawful gain.
  – Management is charged with responsibility to prevent and/or disclose fraud.
  – Control systems enable management to do this job.
  – Management is responsible to provide an internal control system per the Foreign Corrupt Practices Act of 1977.
  – Section 1102 of the Sarbanes-Oxley Act specifically addresses corporate fraud.
  – Instances of fraud undermine management's ability to convince various authorities that it is upholding its stewardship responsibility.

Page 45

Common Business Exposures

1. Erroneous recordkeeping

2. Unacceptable accounting

3. Business interruption

4. Erroneous management decisions

5. Fraud and embezzlement

6. Statutory sanctions

7. Excessive costs

8. Loss or destruction of resources

9. Competitive disadvantage

Page 46

Why do we need controls?

• (1) to provide reasonable assurance that the goals of each business process are being achieved

• (2) to mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss (including loss caused by fraud or other intentional and unintentional acts)

• (3) to provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations.